PenetrationTesting andVulnerability Analysis
Dan Guido
Fall 2011
Vulnerability Disclosure
Background
3
Let’s Talk About Vulnerabilities
*IBM X-Force 2010Trend and Risk Report
4
The Vulnerability Industry
 Companies pay to have them tracked
 ZDI, iDefense, Secunia, Symantec
 Used as marketing t...
5
The Vulnerability Underground
 Rapidly consumed by mass malware
 Crimepacks like Blackhole, Eleonore, and Mpack
 Used...
How We Got Here
7
The Early Days
 Limited discussion of general security issues pre-89
 Rutgers Security List
 UNIX Security Mailing Li...
8
Private Communities Evolved
 Then the MorrisWorm happened in 1988
 Now it’s a problem and everyone knows it
 Invite-o...
9
Full Disclosure
 Eight Legged Groove Machine Security Advisory Service
(8LGM) releases first modern advisories in ‘93
...
10
11
Full Disclosure Continues
 Issues with full disclosure
 Creates a problem to force vendors to act
 “If you don’t rea...
12
Responsible Disclosure
 Worms in the early 2000s made some reconsider FD
 ILOVEYOU, Code Red, Code Red II, Nimda, Sad...
13
Current Status
 CoordinatedVulnerability Disclosure
 “We swear we won’t sue you”
 Vendor acceptance of responsibilit...
14
The Rise of Bug Bounties
Company Scope Bounty URL
Google Web and Native $500 - $3133.7 http://goo.gl/5LCJs
Facebook Web...
15
Trends in Disclosure
No
Disclosure
(1950-1988)
Private
Communities
(1988-1993)
Full
Disclosure
(1993-
~2002)
Responsibl...
16
My Thoughts
 FD was necessary due to lack of awareness of impact
 Companies hacked in August 2011 – United Nations, N...
17
Ethics
 The CS6573Vulnerability Disclosure Policy
 We follow CoordinatedVuln Disclosure (CVD)
 Shared responsibility...
18
Resources
 Legal Issues
 eff.org/issues/coders/grey-‐hat-‐guide
 eff.org/issues/coders/vulnerability-‐reporting-‐faq...
Upcoming SlideShare
Loading in...5
×

Vuln disclosure

247
-1

Published on

Published in: Technology
0 Comments
0 Likes
Statistics
Notes
  • Be the first to comment

  • Be the first to like this

No Downloads
Views
Total Views
247
On Slideshare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
2
Comments
0
Likes
0
Embeds 0
No embeds

No notes for slide

Vuln disclosure

  1. 1. PenetrationTesting andVulnerability Analysis Dan Guido Fall 2011 Vulnerability Disclosure
  2. 2. Background
  3. 3. 3 Let’s Talk About Vulnerabilities *IBM X-Force 2010Trend and Risk Report
  4. 4. 4 The Vulnerability Industry  Companies pay to have them tracked  ZDI, iDefense, Secunia, Symantec  Used as marketing tools by orgs and individuals  CORE,VUPEN,Tavis  Purchased by vendors  Google, Mozilla, Barracuda, Facebook  Consulting industry revolves around vuln mitigation  iSEC, Matasano, GDS, Intrepidus, etc etc
  5. 5. 5 The Vulnerability Underground  Rapidly consumed by mass malware  Crimepacks like Blackhole, Eleonore, and Mpack  Used for fun by script kiddies everywhere!  Anyone see kernel.org get compromised last week?  Discovered in the wild fairly regularly  Flash, Shockwave, IE,Windows kernel  APT groups, coordinated exfil of IP from US corps
  6. 6. How We Got Here
  7. 7. 7 The Early Days  Limited discussion of general security issues pre-89  Rutgers Security List  UNIX Security Mailing List  Somewhat earlier, a wild Phrack appeared  First published in 1985  Original hacker e-zine, attacker-focused  Helped organize a community around offense  Security is a problem, but nobody knows it yet
  8. 8. 8 Private Communities Evolved  Then the MorrisWorm happened in 1988  Now it’s a problem and everyone knows it  Invite-only mailing lists set up in response  Zardoz, Phage, and Core  MASSIVE target for hackers  http://www.underground-book.net/  Actually described zardoz as “The Holy Grail”  Archives widely circulated underground, parodied in Phrack  Limited motivation to act if details are private  “Hey, this is interesting”  Brittle and ineffective at stated purpose
  9. 9. 9 Full Disclosure  Eight Legged Groove Machine Security Advisory Service (8LGM) releases first modern advisories in ‘93  http://www.8lgm.org  Basic format remains unchanged through today  Affected software and OS’s  Description of impact  Fix and workaround information  Reported to vendor and to the public  Extremely controversial at the time  Trend continued by l0pht and eEye throughout the 90s
  10. 10. 10
  11. 11. 11 Full Disclosure Continues  Issues with full disclosure  Creates a problem to force vendors to act  “If you don’t react, I’m giving this to a bunch of 15 yr olds”  Lack of clarity around vuln research legal issues  Vendors first instinct is to get lawyers involved  Underground industry evolved around available info  Mass malware survives almost entirely on full disclosures  It’s not 1995 anymore! Script kiddies grew up too!  Full disclosure bottom line  “Researchers” keep at it b/c it makes them famous  Has FD resulted in a reduction of attacks? Hardly
  12. 12. 12 Responsible Disclosure  Worms in the early 2000s made some reconsider FD  ILOVEYOU, Code Red, Code Red II, Nimda, Sadmind, Slammer, Blaster, Sobig.F, Agobot, Bagle, Nachi…  Most worms reused code released by researchers  “ResponsibleVulnerability Disclosure Process”  Submitted to IETF by Christey andWysopal in 2002*  Responsible – researcher withholds info until patch  Responsibilities targeted at researchers, not vendors  Branded researchers as irresponsible, bred contempt * http://tools.ietf.org/html/draft-christey-wysopal-vuln-disclosure-00
  13. 13. 13 Current Status  CoordinatedVulnerability Disclosure  “We swear we won’t sue you”  Vendor acceptance of responsibility for security issues  vendorsec Mailing List  Invite-only mailing list for sharing vulnerability details  Identified as compromised in March 2011  Remember kids, learning from your mistakes is evil  Delayed Disclosure  Issue PR release and do newspaper interviews about vuln  Usually incites researchers to co-discover. Oops!  Disclose at an enormous conference 3 months later  Maximize marketing benefit, self-interested
  14. 14. 14 The Rise of Bug Bounties Company Scope Bounty URL Google Web and Native $500 - $3133.7 http://goo.gl/5LCJs Facebook Web $500 http://goo.gl/w3Kuu Mozilla Web and Native $500 - $3000 http://goo.gl/NRwpe Barracuda Appliances $500 - $3133.7 http://goo.gl/1SKGU ZDI Popular Software $500 - $5000 http://goo.gl/OEnc8 …plus a litany of smaller projects like: tex, tarsnap, djbdns, qmail, hex rays, and ghostscript
  15. 15. 15 Trends in Disclosure No Disclosure (1950-1988) Private Communities (1988-1993) Full Disclosure (1993- ~2002) Responsible Disclosure (~2002-2010) Bug Bounties (2010- Present)
  16. 16. 16 My Thoughts  FD was necessary due to lack of awareness of impact  Companies hacked in August 2011 – United Nations, News Corp, RIM, HKEx, eBay, Nokia, DigiNotar…  Focus on vulnerability mitigation assumes that attackers are constrained by access to them  Vulns abused by mass malware / year: ~15  Vulns discovered in-the-wild by APT / year: ~15  “The Exploit Intelligence Project”  http://vimeo.com/24329182  http://goo.gl/04XFp
  17. 17. 17 Ethics  The CS6573Vulnerability Disclosure Policy  We follow CoordinatedVuln Disclosure (CVD)  Shared responsibility of researcher and vendor  Report through a 3rd party such as CERT or ZDI  Reduce exposure to legal issues  Make every effort to limit impact to users  No details until patches available, unless…  If the vendor isn’t playing ball, disclose  http://go.microsoft.com/?linkid=9770197
  18. 18. 18 Resources  Legal Issues  eff.org/issues/coders/grey-‐hat-‐guide  eff.org/issues/coders/vulnerability-‐reporting-‐faq  Places that handle disclosure for you  CERT - https://forms.cert.org/VulReport/  oCERT - https://www.ocert.org/  ZDI - http://www.zerodayinitiative.com/  History  http://securitydigest.org/  http://www.underground-book.net/
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.

×